Executive Summary
Pterodactyl is a Linux machine that chains three critical vulnerabilities to achieve complete system compromise. The attack path leverages:
CVE-2025-49132 - PHP PEAR Remote Code Execution
Database credential extraction from Laravel configuration
CVE-2025-6018 - PAM environment variable injection
CVE-2025-6019 - UDisks2 XFS filesystem privilege escalation
This machine demonstrates the importance of proper session management, polkit authorization boundaries, and the dangers of chaining seemingly low-impact vulnerabilities into full system compromise.
Reconnaissance & Enumeration
Host Configuration
First, we add the target to our hosts file for proper name resolution:
echo "10.129.5.168 pterodactyl.htb panel.pterodactyl.htb" | sudo tee -a /etc/hosts
Subdomain Discovery
Using ffuf to brute-force virtual hosts:
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt \
-u http://pterodactyl.htb/ \
-H "Host: FUZZ.pterodactyl.htb" -fw
Discovery: panel.pterodactyl.htb
This subdomain hosts the Pterodactyl Panel application - a popular game server management platform built on Laravel (PHP framework).
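The Host-header brute force shown above is noisy from the server side: one client requests the same path with many different Host values in a few seconds. The following added example (not part of the original writeup) flags that pattern in web server access logs; it assumes an nginx log format that records $host, and the log lines it parses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed nginx format:
#   log_format vhost '$remote_addr [$time_local] "$host" "$request" $status';
# 10.10.14.5 cycles through Host values like ffuf does; 10.10.14.9 is normal traffic.
SAMPLE_LOG = """\
10.10.14.5 [20/Jun/2025:10:00:01 +0000] "pterodactyl.htb" "GET / HTTP/1.1" 200
10.10.14.5 [20/Jun/2025:10:00:01 +0000] "admin.pterodactyl.htb" "GET / HTTP/1.1" 200
10.10.14.5 [20/Jun/2025:10:00:02 +0000] "test.pterodactyl.htb" "GET / HTTP/1.1" 200
10.10.14.5 [20/Jun/2025:10:00:02 +0000] "dev.pterodactyl.htb" "GET / HTTP/1.1" 200
10.10.14.5 [20/Jun/2025:10:00:03 +0000] "panel.pterodactyl.htb" "GET / HTTP/1.1" 302
10.10.14.9 [20/Jun/2025:10:00:05 +0000] "pterodactyl.htb" "GET /login HTTP/1.1" 200
10.10.14.9 [20/Jun/2025:10:05:00 +0000] "panel.pterodactyl.htb" "GET /login HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "([^"]*)" "([^"]*)" (\d{3})$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, host, request, status = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, TIME_FMT),
            "host": host.lower(), "request": request, "status": int(status)}


def detect_vhost_fuzzing(log_text, window_seconds=60, min_distinct_hosts=4):
    """Return {client_ip: max distinct Host values seen in any window_seconds
    window} for clients that reach min_distinct_hosts, i.e. likely vhost fuzzing."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        start = 0
        for end in range(len(recs)):  # sliding window over this client's requests
            while recs[end]["time"] - recs[start]["time"] > window:
                start += 1
            hosts = {r["host"] for r in recs[start:end + 1]}
            if len(hosts) >= min_distinct_hosts:
                flagged[ip] = max(flagged.get(ip, 0), len(hosts))
    return flagged
```

Tune the window and threshold to the number of legitimate virtual hosts a client may touch; a default-server block that returns 444 for unknown Host values also removes most of the signal the wordlist relies on.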
Vulnerability Identification
Checking for PHP configuration disclosure:
curl http://panel.pterodactyl.htb/phpinfo.php
Key Finding: PEAR (PHP Extension and Application Repository) is enabled with writable configuration paths.
🔐 PREMIUM WRITEUP - MEMBERSHIP REQUIRED
This machine is still active in HTB, so the full walkthrough, exploitation path, and flags cannot be publicly released.